BAT_CRYPTOR.SM01

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following files:

• %User Temp%\keybtccheck.bin
• %User Temp%\sdel.cmd
• %User Temp%\KEYBTC.txt
• %User Temp%\genesis.btc
• %User Temp%\1024key.btc
• %Application Data%\KEY.PRIVATE
• %User Temp%\PRIVATE\KEY{random}.PRIVATE
• %User Temp%\secring.gpg

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.. %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)

It drops and executes the following files:

• %User Temp%\sampleautoreplicant.js - accesses sites to download malware components

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

It creates the following folders:

• %User Temp%\PRIVATE

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

Other System Modifications

This Trojan adds the following registry entries:

HKEY_CURRENT_USER\Software\Sysinternals\
SDelete
EulaAccepted = "1"

Download Routine

This Trojan accesses the following websites to download files:

• http://{BLOCKED}lru.org/images/coherence.btc
• http://{BLOCKED}lru.org/images/lsass.btc
• http://{BLOCKED}lru.org/images/spool.btc
• http://{BLOCKED}lru.org/images/spoolsv.btc
• http://{BLOCKED}lru.org/images/sv.btc
• http://{BLOCKED}lru.org/images/tobi.btc
• http://{BLOCKED}lru.org/images/collapse.btc

It saves the files it downloads using the following names:

• %User Temp%\coherence.btc
• %User Temp%\lsass.btc
• %User Temp%\%User Temp%\spool.btc
• %User Temp%\spoolsv.btc
• %User Temp%\sv.btc
• %User Temp%\tobi.btc
• %User Temp%\collapse.btc

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

Other Details

This Trojan encrypts files with the following extensions:

• .xls
• .xlsx
• .doc
• .docx
• .xlsm
• .cdr
• .slddrw
• .dwg
• .ai
• .svg
• .mdb
• .1cd
• .pdf

It renames encrypted files using the following names:

• {file name and extension}.keybtc@gmail_com

NOTES:

It encrypts files from drives B:\ to Z:\

It renames the following files as follows:

• %Application Data%\gnupg %Application Data%\gnupg_backup{random number}
• %User Temp%\day.btc to %User Temp%\iconv.dll
• %User Temp%\sad.btc to %User Temp%\ sdelete.exe
• %User Temp%\null.btc to %User Temp%\ taskmgr.exe
• %User Temp%\secring.gpg.gpg to %User Temp%\ KEY.PRIVATE
• %User Temp%\lsass.btc to %User Temp%\lsass.exe
• %User Temp%\coherence.btc to %User Temp%\coherence.exe
• %User Temp%\spoolsv.btc to %User Temp%\spoolsv.exe
• %User Temp%\spool.btc to %User Temp%\blat.lib
• %User Temp%\sv.btc to %User Temp%\blat.dll

It deletes the following folder:

• %Application Data%\gnupg

This Trojan opens the user's default browser and accesses the following sites to display the ransom note:

• http://bit.ly/{BLOCKED}ongi
• http://apps.{BLOCKED}hev.com/2014/08/14/2829

It displays the following ransom note in the opened browser: